Motivation

[Figure: malware is run in a sandbox, but a human analyst still has to pull the configuration data out of it by hand.]
Why do we need malware-configuration data?

- Many variants of malware code are almost unchanged; only the configuration data differs.

- Configuration data contains important information that cannot be obtained by sandbox analysis, e.g. C&C servers, campaign ID, encryption key, etc.
How to Extract Malware Configuration Data Manually

It's very simple.

Malware analysis:
- Understand the encryption techniques
- Understand the configuration structures

That's all.


In PlugX, the main module and the configuration are encoded.

[Figure: injection process. The encoded code is decoded and then LZNT1-decompressed into the PlugX main module plus its config; the config itself is stored encoded and LZNT1-compressed.]
PlugX uses a custom encoding method.

Config size 0x2540:

    for i in range(strings_len - 4):
        set1 = (((decode_key << 7) - (decode_key >> 3) + i + 1899663297) >> 16) ^ (((decode_key << 7) - (decode_key >> 3) + i + 1899663297) >> 24) & 0xffffffff
        decode_key = ((decode_key << 7) - (decode_key >> 3) + i + 1899663297) & 0xffffffff
        result_data = (decode_key & 0xff) ^ ((decode_key >> 8) & 0xff) ^ encode_data[i] ^ set1 & 0xff

Config size 0x36A4:

    key1 = encode_key          # the slide also shows "2014" next to this line; the full expression is not legible
    key2 = encode_key ^ 353
    for i in range(strings_len):
        key1 = (key1 + 3373) & 0xffffffff
        key2 = (key2 - 39779) & 0xffffffff
        result_data = ord(encode_data[i]) ^ (((key2 >> 18) & 0xff ^ ((key2 & 0xff ^ (((key1 >> 16) & 0xff ^ (key1 - (key1 >> 8) & 0xff)) - (key1 >> 24) & 0xff)) - (key2 >> 8) & 0xff)) - (key2 >> 24) & 0xff)
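The 0x2540 key schedule above, packaged as a whole-buffer routine with a plausibility check on the result. This is an added example, not MalConfScan's code: the constants are taken from the slide as transcribed, and the assumption that the first DWORD of the blob seeds the key (suggested by the `range(strings_len - 4)`) is this example's own. Since the stream is only XORed in, the same function encodes and decodes, which is what the round-trip in `__main__` exercises.

```python
import struct


def plugx_keystream_xor(data: bytes, key: int) -> bytes:
    """Apply the key schedule shown on the slide for the 0x2540 config variant.

    Each round derives a new 32-bit state from the previous one and the byte
    index, then XORs the input byte with three bytes taken from that state.
    The keystream depends only on (key, i), so the routine is its own inverse.
    """
    key &= 0xFFFFFFFF
    out = bytearray()
    for i, c in enumerate(data):
        t = ((key << 7) - (key >> 3) + i + 1899663297) & 0xFFFFFFFF
        set1 = (t >> 16) ^ (t >> 24)
        key = t
        out.append((key & 0xFF) ^ ((key >> 8) & 0xFF) ^ c ^ (set1 & 0xFF))
    return bytes(out)


def decode_plugx_blob(blob: bytes) -> bytes:
    # Assumption (suggested by range(strings_len - 4) on the slide, not stated
    # there): the first DWORD of the blob is the key, the remainder is payload.
    key = struct.unpack_from("<I", blob, 0)[0]
    return plugx_keystream_xor(blob[4:], key)


def encode_plugx_blob(plain: bytes, key: int) -> bytes:
    """Inverse of decode_plugx_blob; used here only to build test vectors."""
    return struct.pack("<I", key) + plugx_keystream_xor(plain, key)


def looks_like_lznt1_chunk(data: bytes) -> bool:
    """Cheap sanity check on a decode result.

    The slide says the decoded PlugX payload is LZNT1 data. An LZNT1 chunk
    header (MS-XCA) is a little-endian WORD: bits 0-11 = chunk size - 1,
    bits 12-14 = signature 0b011, bit 15 = compressed flag. If the signature
    is not 3, the wrong key schedule or the wrong key was used.
    """
    if len(data) < 2:
        return False
    hdr = struct.unpack_from("<H", data, 0)[0]
    return (hdr >> 12) & 0x7 == 3


if __name__ == "__main__":
    # Constructed test vector: a fake LZNT1 chunk header plus filler, not real PlugX data.
    plain = b"\x0f\xb0" + bytes(range(32))
    blob = encode_plugx_blob(plain, 0xDEADBEEF)
    decoded = decode_plugx_blob(blob)
    print("round-trip ok:", decoded == plain, "lznt1 header:", looks_like_lznt1_chunk(decoded))
```

When a dumped blob decodes to something whose first WORD fails the LZNT1 signature test, try the other variant before assuming the sample is a new one.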
PlugX Configuration Structure (0x36A4 variant)

    struct PlugXConfig {
        int hide_flag;
        int field_4;
        int field_8;
        int field_C;
        int field_10;
        int DeleteFlag;
        int KeylogFlag;
        int field_1C;
        int UnknownFlag;
        int field_24;
        char timer1_1;
        char timer1_2;
        char timer1_3;
        char timer1_4;
        char timer2_1;
        char timer2_2;
        char timer2_3;
        char timer2_4;
        char host_access_timetable[672];
        char DNS[16];
        HostInfo host1;
        HostInfo host2;
        HostInfo host3;
        HostInfo host4;
        HostInfo host5;
        HostInfo host6;
        HostInfo host7;
        HostInfo host8;
        HostInfo host9;
        HostInfo host10;
        HostInfo host11;
        HostInfo host12;
        HostInfo host13;
        HostInfo host14;
        HostInfo host15;
        HostInfo host16;
        char HTTP[2048];
        char Proxy1[196];
        char Proxy2[196];
        char Proxy3[196];
        char Proxy4[196];
        int Install_mode;
        char InstallDir[512];
        char ServiceName[512];
        char ServiceDisplayName[512];
        char ServiceComment[512];
        int InstallRegkey;
        char RunKeyName[512];
        char RunKeyValueName[512];
        int InjectionFlag;
        char Process1[512];
        char Process2[512];
        char Process3[512];
        char Process4[512];
        int UACFlag;
        char UACProcess1[512];
        char UACProcess2[512];
        char UACProcess3[512];
        char UACProcess4[512];
        char ID1[512];
        char ID2[512];
        char Mutex[512];
        int delete_file_time;
        char ScreenCaptureFile[512];
        int val1;
        __int16 val1_port1;
        __int16 val1_2;
        int val2;
        __int16 val2_port1;
        __int16 val2_2;
        int val3;
        __int16 val3_port1;
        __int16 val3_2;
        int val4;
        __int16 val4_port1;
        __int16 val4_2;
        int IPrangeSearchFlag;
        int ipstart1;
        int ipstart2;
        int ipstart3;
        int ipstart4;
        int ipend1;
        int ipend2;
        int ipend3;
        int ipend4;
        char val14;
        char val15;
        char val16;
        char val17;
        char val18;
        char val19;
        char field_36A2;
        char field_36A3;
    };
TSCookie uses only RC4 for encryption.

[Figure: the TSCookie code carries an encrypted resource; the decoded code RC4-decrypts it to obtain the config.]
TSCookie Configuration Structure

    struct config {
        int field_0;
        int port1_1;
        int port1_2;
        int server_flag1;
        char server1[240];
        int field_100;
        int port2_1;
        int port2_2;
        int server_flag2;
        char server2[240];
        int field_200;
        int port3_1;
        int port3_2;
        int server_flag3;
        char server3[240];
        int field_300;
        int port4_1;
        int port4_2;
        int server_flag4;
        char server4[240];
        char proxy_server[128];
        int proxy_port;
        char field_484[124];
        char id[256];
        int field_600;
        int rc4_key;
        char field_608[660];
        int sleep_time;
    };
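The two manual steps from the start of this section (understand the encryption, understand the structure) carried through for TSCookie. This is an added example, not MalConfScan's TSCookie parser: the `struct` layout is transcribed from the structure above, RC4 is implemented inline because the slide says that is the only cipher involved, and the resource key, the sample config values and the `plausible()` heuristic are this example's own assumptions (a real sample's resource key comes from reversing the loader).

```python
import struct

# Layout transcribed from the TSCookie config structure above (little-endian).
TSCOOKIE_CONFIG_FMT = "<" + "IIII240s" * 4 + "128sI124s256sII660sI"
TSCOOKIE_CONFIG_SIZE = struct.calcsize(TSCOOKIE_CONFIG_FMT)   # 0x8A0


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). Encryption and decryption are the same operation."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for c in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(c ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def _cstr(raw: bytes) -> str:
    """NUL-terminated fixed-width field to str."""
    return raw.split(b"\x00", 1)[0].decode("ascii", errors="replace")


def parse_tscookie_config(blob: bytes) -> dict:
    if len(blob) < TSCOOKIE_CONFIG_SIZE:
        raise ValueError(f"need {TSCOOKIE_CONFIG_SIZE:#x} bytes, got {len(blob):#x}")
    f = struct.unpack_from(TSCOOKIE_CONFIG_FMT, blob, 0)
    servers = []
    for n in range(4):                      # each server block is five fields wide
        host = _cstr(f[5 * n + 4])
        if host:                            # unused slots are all-NUL
            servers.append({"host": host, "port1": f[5 * n + 1],
                            "port2": f[5 * n + 2], "flag": f[5 * n + 3]})
    return {
        "servers": servers,
        "proxy_server": _cstr(f[20]),
        "proxy_port": f[21],
        "id": _cstr(f[23]),
        "rc4_key": f[25],
        "sleep_time": f[27],
    }


def plausible(cfg: dict) -> bool:
    """Heuristic (this example's own) for 'the decryption looks right':
    at least one printable server name and a sane sleep time. Useful when
    trying several candidate keys against a dumped resource."""
    return (bool(cfg["servers"])
            and 0 < cfg["sleep_time"] < 86400
            and all(s["host"].isascii() and s["host"].isprintable() for s in cfg["servers"]))


def extract_config(resource: bytes, key: bytes) -> dict:
    """Decrypt the resource with RC4 and parse it. Raises on a truncated blob."""
    return parse_tscookie_config(rc4(key, resource))


def build_sample_config() -> bytes:
    """Constructed sample config (no real TSCookie values)."""
    return struct.pack(TSCOOKIE_CONFIG_FMT,
                       0, 443, 8080, 1, b"c2-a.example.net",
                       0, 443, 8080, 1, b"c2-b.example.net",
                       0, 0, 0, 0, b"",
                       0, 0, 0, 0, b"",
                       b"", 0, b"", b"2019-TEST-ID", 0, 0x11223344, b"", 60)


SAMPLE_RESOURCE_KEY = b"\x12\x34\x56\x78"   # hypothetical key for the sample above


def sample_encrypted_resource() -> bytes:
    """What an 'Encrypted Resource' would look like for the constructed config."""
    return rc4(SAMPLE_RESOURCE_KEY, build_sample_config())


if __name__ == "__main__":
    cfg = extract_config(sample_encrypted_resource(), SAMPLE_RESOURCE_KEY)
    for k, v in cfg.items():
        print(f"{k:13}: {v}")
```

The `rc4_key` field inside the config is a separate 4-byte value the malware uses later; it is not the key that protects the resource, which is why the example keeps the two apart.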
What is MalConfScan?

- MalConfScan is a Volatility plugin that extracts configuration data of known malware.

- Volatility is an open-source memory forensics framework for incident response and malware analysis.

- MalConfScan searches for malware in memory images and dumps configuration data.
Example (RedLeaves configuration data)

    mal@works:/opt/vol2.4$ python vol.py malconfscan -f mem.image --profile=Win7SP1x86 -p 3872
    Volatility Foundation Volatility Framework 2.4
    [+] Searching memory by Yara rules.
    [+] Detect malware by Yara rules.
    [+] Process Name : iexplore.exe
    [+] Process ID : 3872
    [+] Malware name : Lavender
    [+] Base Address(VAD) : 0x530000
    [+] Size : 0xCC000

    Process: iexplore.exe (3872)

    [Config Info]
    Server1 : firefoxcomt.arkouowi.com
    Server2 : update.arkouowi.com
    Server3 : firefoxcomt.arkouowi.com
    Server4 : update.arkouowi.com
    Port : 443
    Mode : TCP and HTTP
    ID : 2018-1-8-NewBattle
    Mutex : jH10689DS
    Key : babybear
    UserAgent : Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2
    Proxy server :
    Proxy username :
    Proxy password :
Supported Malware Families

- Ursnif
- Emotet
- Smoke Loader
- PoisonIvy
- CobaltStrike
- NetWire
- PlugX
- RedLeaves
- QuasarRAT
- ELF PLEAD
- TSCookie
- TSC_Loader
- xxmm
- Datper
- Ramnit
- HawkEye
- Lokibot
- Bebloh
- AsyncRAT
- AZORult
- NanoCore RAT
- AgentTesla
- FormBook
- NodeRAT
- njRAT
- TrickBot
- Remcos
- WellMess
[Figure: the same supported-families list overlaid with an any.run "TOP10 last week's threats report": #AgentTesla 147 (164), #NanoCore 146 (154), #Lokibot 142 (150), #Servhelper #TA505 81 (10), #Formbook 75 (54), #Azorult 66 (39), #Trickbot 57 (11), #Ursnif 53 (60), #njRAT 52 (69), #HawkEye 48 (47). Of these, only ServHelper is absent from the supported list.]
Question

Why use Volatility?
Advantages of Dumping Configuration Data from Memory

No need to unpack
- Unpacking the malware is not necessary when extracting configuration data.

No need to decode
- The configuration data may already be decoded in memory.
- No need to know how to decrypt the configuration data.
This tool also dumps more than configuration data if needed:

- Configuration data
- Decoded strings
- DGA domains
Example (Bebloh configuration data and DGAs)

    mal@works:/opt/vol2.4$ python vol.py malconfscan -f mem.image --profile=Win7SP1x86 -p 2724
    Volatility Foundation Volatility Framework 2.4
    [+] Searching memory by Yara rules.
    [+] Detect malware by Yara rules.
    [+] Process Name : explorer.exe
    [+] Process ID : 2724
    [+] Malware name : Bebloh
    [+] Base Address(VAD) : 0x1B0000
    [+] Size : 0x10000

    Process: explorer.exe (2724)

    [Config Info]
    RSA key : 0602000000a4000052534131000400000100010071406719fdbaf787464a0b6b1c4bb589e897b8a4e
              9cd2aee225c643e9afd3cb2c67ee4c4980a954c1ba7464d3e669be70177c76d3498383fdb7e6aad684d6911e722f238ee900659c0
              afe2b2db12a882edaa5b83eba0843bcb12392f931d850681d4e7900b99f95d02d3cb9c
    Sleep count : 6
    Seed URL : benistora.com/auth/
    Sleep time : 180
    Botid : 6CEEC4FA6817A661A9
    Registry subkey : ecywhvdabais
    Network Check : Enable
    Botnet : 000000000000001
    Registry key :
    DGA 0 : benistora.com
    DGA 1 : tndhxdvll.net
    DGA 2 : faqpohoit.com
    DGA 3 : mixjavydp.net
    DGA 4 : g5oqoa3f5.com
    DGA 5 : g5mvbekzi.net
    DGA 6 : Sqdgoaweg.com
    DGA 7 : zqynvek4u.net
    DGA 8 : rhvizax3c.com
    DGA 9 : ypygujsi2e.net
    DGA 10 : prs5c4jsi39h.com
    DGA 11 : zgf9p20jjkl.net
    DGA 12 : ckpj3ylqzfr9.com
    DGA 13 : 9jlctowlvueinc.net
Example (FormBook decoded strings)

    mal@works:/opt/vol2.4$ python vol.py malconfscan -f mem.image --profile=Win7SP1x86 -p 1948
    Volatility Foundation Volatility Framework 2.4
    [+] Searching memory by Yara rules.
    [+] Detect malware by Yara rules.
    [+] Process Name : explorer.exe
    [+] Process ID : 1948
    [+] Malware name : Formbook
    [+] Base Address(VAD) : 0x7BD0000
    [+] Size : 0x142000

    Process: explorer.exe (1948)

    [Config Info]
    C&C URI 1 : www.trogmack.com/br/
    Encoded string 0 : USERNAME
    Encoded string 1 : LOCALAPPDATA
    Encoded string 2 : USERPROFILE
    Encoded string 3 : APPDATA
    Encoded string 4 : TEMP
    Encoded string 5 : ProgramFiles
    Encoded string 6 : CommonProgramFiles
    Encoded string 7 : ALLUSERSPROFILE
    Encoded string 8 : /c copy "
    Encoded string 9 : /c del "
    Encoded string 10 : \Run
    Encoded string 11 : \Policies
    Encoded string 12 : \Explorer
    Encoded string 13 : \Registry\User
    Encoded string 14 : \Registry\Machine
    Encoded string 15 : \SOFTWARE\Microsoft\Windows\CurrentVersion
    Encoded string 16 : Office\15.0\Outlook\Profiles\Outlook\
    Encoded string 17 : NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\
    Encoded string 18 : \SOFTWARE\Mozilla\Mozilla
    Encoded string 19 : Mozilla
    Encoded string 20 : Username:
    Encoded string 21 : Password:
Additional Feature

The malstrscan function can list the strings to which a hollowed process refers.

- Configuration data is usually encoded by the malware.
- Most malware writes the decoded configuration data to memory.
- This feature lists the decoded configuration data when possible.
Example

    mal@works:/opt/vol2.4$ python vol.py malstrscan -f mem.image --profile=Win7SP1x86 -p 1260
    Volatility Foundation Volatility Framework 2.4
    [+] Searching for malicious memory space.
    [+] Detect Process Hollowing space.
    [+] Process Name : svchost.exe
    [+] Process ID : 1260
    [+] Base Address(VAD) : 0x15190000
    [+] Size : 0x3D000
    [+] Vad Protection : PAGE_EXECUTE_READWRITE
    Process: svchost.exe (1260)
    0x151BE5FC: SeDebugPrivilege
    0x151BE610: ntdll.dll
    0x151BE61C: RtlCreateUserThread
    0x151BE630: Advapi32.dll
    0x151BE640: RegDeleteKeyExA
    0x151BE650: open
    0x151BE658: kernel32
    0x151BE664: GetSystemWow64DirectoryA
    0x151BE680: kernel32.dll
    0x151BE690: GetNativeSystemInfo
    0x151BE6A4: IsWow64Process
    0x151BE6B4: com.%s.sdb
    0x151BE6C0: %s\cmd.%s.bat
    0x151BE6D0: username
    0x151BE6DC: \..\..\LocalLow\
    0x151BE6F0: start "" "%s"
    0x151BE700: "%%windir%%\%s\iscsicli.exe"
    0x151BE720: system32
    0x151BE72C: syswow64
    0x151BE738: /q "%s"
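The mechanism behind a listing like the one above, as an added example that is not malstrscan's code: pick out the VAD regions that look injected or hollowed, then carve ASCII and UTF-16LE strings from them and report each with its virtual address. The region-selection rule (private, PAGE_EXECUTE_READWRITE) is the malfind-style heuristic and is this example's assumption, since the slides only show the protection of the hit; the `Vad` records and the fake svchost.exe layout in `build_sample_process()` are constructed stand-ins for what Volatility would hand you.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class Vad:
    start: int          # virtual address of the region
    data: bytes         # region contents as read from the memory image
    protection: str     # e.g. "PAGE_EXECUTE_READWRITE"
    file_backed: bool   # True if the VAD maps an image or data file


def suspicious_vads(vads: List[Vad]) -> List[Vad]:
    """Private RWX regions: the usual signature of injected or hollowed code.
    Assumption of this example, standing in for malstrscan's own selection."""
    return [v for v in vads
            if v.protection == "PAGE_EXECUTE_READWRITE" and not v.file_backed]


def extract_strings(vad: Vad, min_len: int = 6) -> List[Tuple[int, str]]:
    """(address, string) pairs for printable ASCII and UTF-16LE runs, sorted by address."""
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    wide_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found = []
    for m in ascii_re.finditer(vad.data):
        found.append((vad.start + m.start(), m.group().decode("ascii")))
    for m in wide_re.finditer(vad.data):
        found.append((vad.start + m.start(), m.group().decode("utf-16le")))
    return sorted(found)


def malstrscan_like(vads: List[Vad], min_len: int = 6) -> Dict[int, List[Tuple[int, str]]]:
    """Map each suspicious region's base address to the strings found in it."""
    return {v.start: extract_strings(v, min_len) for v in suspicious_vads(vads)}


def format_report(results: Dict[int, List[Tuple[int, str]]]) -> List[str]:
    """Render in the same 'address: string' shape as the tool output above."""
    lines = []
    for base, strings in results.items():
        lines.append(f"[+] Base Address(VAD) : 0x{base:X}")
        lines.extend(f"0x{addr:X}: {s}" for addr, s in strings)
    return lines


def build_sample_process() -> List[Vad]:
    """Constructed VAD layout for a fake svchost.exe; not taken from a real dump."""
    region = bytearray(0x100)
    for off, s in ((0x10, b"SeDebugPrivilege"), (0x24, b"ntdll.dll"),
                   (0x30, b"RtlCreateUserThread"), (0x48, b"%s\\cmd.%s.bat")):
        region[off:off + len(s)] = s
    wide = "GetNativeSystemInfo".encode("utf-16le")
    region[0x60:0x60 + len(wide)] = wide
    return [
        Vad(0x15190000, bytes(region), "PAGE_EXECUTE_READWRITE", file_backed=False),
        # A legitimately mapped image: executable but file-backed, so it is skipped.
        Vad(0x77000000, b"MZ" + bytes(0xFE), "PAGE_EXECUTE_WRITECOPY", file_backed=True),
    ]


if __name__ == "__main__":
    for line in format_report(malstrscan_like(build_sample_process())):
        print(line)
```

Strings pulled this way are decoded by the malware itself, so API names, format strings and paths show up in the clear even when the on-disk sample is packed; the `min_len` knob is the usual trade-off between noise and short tokens such as `open`.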
linux_malconfscan searches for malware in Linux memory images and dumps configuration data.

Few malware families supported so far:
- WellMess
- ELF PLEAD
DEMONSTRATION

MalConfScan

[Screenshot: the MalConfScan wiki on GitHub (JPCERTCC/MalConfScan).]

Next Stage


MalConfScan-with-Cuckoo is СисКоо Sandbox plugin 
for MalConfScan. 


The plugin adds the function to extract known malware's 
configuration data from memory dump and add the 
MalConfScan report to Cuckoo Sandbox. 


| 
M 
How it Works

This tool uses Cuckoo's memory dump function to extract configuration data of executed malware from memory dumps.

[Figure: Cuckoo runs the sample in a virtual machine and dumps its memory; MalConfScan (on Volatility) analyzes the memory image and extracts the configuration, which is shown in the Cuckoo web dashboard.]
Overview

[Screenshot: Cuckoo web dashboard, "VM Memory Dump" tab, alongside the usual Volatility tabs (Process List, Services, Kernel Modules, Device Tree, Code Injection, Messagehooks, API Hooks, Callbacks, Yarascan, SSDT, IDT, Timers, Psxview).]

    Process Name : iexplore.exe
    Malware Name : Himawari
    Base Address(VAD) : 0x04521984
    Size : 0x00815104

    Config Field   Config Value
    Server1        diamond.ninth.biz
    Server2        diamond.ninth.biz
    Server3        diamond.ninth.biz
    Server4        diamond.ninth.biz
    Port           443
    Mode           TCP and HTTP
    ID             2017-11-28-MACRO
    Mutex          Q34894iq
    Key            usotsuki
Anti-Analysis

Anti-analysis functions disturb the analysis in a sandbox.

Some malware has these functions, e.g. Ursnif variants (targeting Japan).

Generic
- Language settings
- Execution after reboot
- Total physical memory
- Count of processors, etc.

Virtualization
- CPUID (CPU brand, virtualization setting, etc.)
- Device info (device name, MAC address, etc.)
- Registry keys, etc.

Processes
- Process name (Wireshark, OllyDbg, Process Monitor, etc.)

Copyright ©2019 JPCERT/CC All rights reserved.

How to bypass anti-analysis

Configure your VM.
How to configure your VM

[Figure: annotated disassembly of the environment checks (.text:00401C02 onward). A warning message is decoded (mal_decode), then four checks run in sequence: CPUID brand detection (mal_chk_cpuid), device name detection, boot-time detection, and debugger detection. After each call the result is tested (test eax, eax) and a non-zero result branches to loc_401C16.]
[Figure: disassembly of the CPUID brand check (get_cpu_id_brand, cmp_cpu_brand).]

Call the CPUID instruction to dump the CPU brand name:

    mov eax, 8000000[2-4]h
    __cpuid

Check whether the CPU brand name includes "XEON".
Fake the return value of CPUID with the VM configuration

Insert the following settings into your .vmx file:

    cpuid.80000002.eax = "0110:0101:0111:0100:0110:1110:0100:1001"
    cpuid.80000002.ebx = "0010:1001:0101:0010:0010:1000:0110:1100"
    cpuid.80000002.ecx = "0111:0010:0110:1111:0100:0011:0010:0000"
    cpuid.80000002.edx = "0100:1101:0101:0100:0010:1000:0110:0101"
    cpuid.80000003.eax = "0011:0101:0110:1001:0010:0000:0010:1001"
    cpuid.80000003.ebx = "0011:0101:0101:1001:0011:0111:0010:1101"
    cpuid.80000003.ecx = "0101:0000:0100:0011:0010:0000:0011:0100"
    cpuid.80000003.edx = "0010:0000:0100:0000:0010:0000:0101:0101"
    cpuid.80000004.eax = "0011:0000:0011:0010:0010:1110:0011:0001"
    cpuid.80000004.ebx = "0000:0000:0111:1010:0100:1000:0100:0111"
    cpuid.80000004.ecx = "0000:0000:0000:0000:0000:0000:0000:0000"
    cpuid.80000004.edx = "0000:0000:0000:0000:0000:0000:0000:0000"
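The twelve register masks above are just the 48-byte brand string of leaves 0x80000002..0x80000004 split into little-endian DWORDs, so they can be generated rather than hand-typed. This added example (not from the slides or from VMware) does the conversion in both directions and reproduces the malware's substring test, so you can confirm a candidate brand string would pass the check before editing the .vmx. The helper names and the two brand strings are this example's own; the output format (0/1 nibbles joined by colons) follows the slide, and masks that use `-` for don't-care bits are not handled.

```python
import struct

CPUID_BRAND_LEAVES = (0x80000002, 0x80000003, 0x80000004)
REGS = ("eax", "ebx", "ecx", "edx")


def brand_to_registers(brand: str) -> list:
    """Brand string -> 12 little-endian DWORDs (eax..edx of the three leaves)."""
    raw = brand.encode("ascii")
    if len(raw) > 47:
        raise ValueError("CPUID brand string is at most 47 characters plus a NUL")
    return list(struct.unpack("<12I", raw.ljust(48, b"\x00")))


def registers_to_brand(regs) -> str:
    """Inverse of brand_to_registers."""
    return struct.pack("<12I", *regs).split(b"\x00", 1)[0].decode("ascii")


def to_vmx_bits(value: int) -> str:
    """32-bit value -> 'nnnn:nnnn:...' as used in the .vmx cpuid masks."""
    bits = f"{value:032b}"
    return ":".join(bits[i:i + 4] for i in range(0, 32, 4))


def from_vmx_bits(text: str) -> int:
    return int(text.replace(":", ""), 2)


def vmx_cpuid_brand_lines(brand: str) -> list:
    """The twelve cpuid.8000000X.<reg> lines for a given brand string."""
    lines = []
    for n, value in enumerate(brand_to_registers(brand)):
        leaf, reg = CPUID_BRAND_LEAVES[n // 4], REGS[n % 4]
        lines.append(f'cpuid.{leaf:08x}.{reg} = "{to_vmx_bits(value)}"')
    return lines


def brand_from_vmx_lines(lines) -> str:
    """Read existing mask lines back into a brand string (audit an existing .vmx)."""
    values = {}
    for line in lines:
        name, _, quoted = line.partition("=")
        values[name.strip()] = from_vmx_bits(quoted.strip().strip('"'))
    regs = [values[f"cpuid.{leaf:08x}.{reg}"] for leaf in CPUID_BRAND_LEAVES for reg in REGS]
    return registers_to_brand(regs)


def brand_flagged(brand: str, markers=("XEON",)) -> bool:
    """The check the slide shows the malware doing: substring match on the brand."""
    return any(m in brand.upper() for m in markers)


SANDBOX_HOST_BRAND = "Intel(R) Xeon(R) CPU E5-2665 0 @ 2.40GHz"     # example 'before'
DESIRED_BRAND = "Intel(R) Core(TM) i5-7Y54 CPU @ 1.20GHz"          # example 'after'

if __name__ == "__main__":
    print("host brand flagged:", brand_flagged(SANDBOX_HOST_BRAND))
    print("desired brand flagged:", brand_flagged(DESIRED_BRAND))
    for line in vmx_cpuid_brand_lines(DESIRED_BRAND):
        print(line)
```

Run it with the brand string you want the guest to report; the printed lines drop straight into the .vmx. Because the masks pin every bit, the guest will report exactly that string regardless of the host CPU, which is also why the clock speed shown elsewhere in the OS can still disagree with the brand text.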
[Screenshot: System properties before and after. Before: Intel(R) Xeon(R) CPU E5-2665 0 @ 2.40GHz 2.39 GHz. After: Intel(R) Core(TM) i5-7Y54 CPU @ 1.20GHz 2.59 GHz.]
[Figure: decompiled device-name check.]

    if ( SetupDiGetDeviceRegistryPropertyA( ..., &DeviceInfoData, ..., &RequiredSize ) )
    {
        ...
        if ( cmp_string( ... ) )

Call the Win32 API to get the device name.

Check whether the device name includes specific strings.
Anti-Anti-Analysis: Modify the Device Name (VMware)

Insert the following settings into your .vmx file:

    scsi0:0.productID = "Toshiba SSD"
    scsi0:0.vendorID = "Toshiba"
    scsi1:0.productID = "Toshiba SSD"
    scsi1:0.vendorID = "Toshiba"
Recommended settings for Anti-Anti-Analysis

- Do NOT use VMware Tools or VirtualBox Guest Additions.
- Use a local-language OS for the VM.
- Modify the CPUID response.
- Modify the device name.
- Modify the NIC (MAC address).
DEMONSTRATION

MalConfScan with Cuckoo

[Screenshot: the MalConfScan-with-Cuckoo wiki on GitHub (JPCERTCC/MalConfScan-with-Cuckoo), describing it as a Cuckoo Sandbox plugin that extracts configuration data of known malware by searching the sandbox's memory images, and the resulting Cuckoo dashboard.]

MalConfScan will support Volatility3.
JPCERT/CC

GitHub: JPCERTCC/MalConfScan, JPCERTCC/MalConfScan-with-Cuckoo
E-mail: ir-info@jpcert.or.jp
PGP: https://www.jpcert.or.jp/english/pgp/